Clean up my private server

Each CMS (Joomla, WordPress, Drupal, etc.) is a potential source of infection. The same applies to any software installed on your servers. An infected server can be used, for example, to run a botnet client or a Bitcoin miner.

Make a diagnosis

In the case of a Bitcoin miner, your server's resources will be very busy, so it is quite easy to find the offending process with the command top over SSH.

In the case of a botnet, this becomes a bit more critical. We can offer you our help, in the form of Managed services credit hours, if you encounter any difficulties.

Generally, the procedure is as follows; we start by using the command ss (the replacement for netstat):

ss -lntpaue|grep -i 6667

This command shows which process is communicating over port 6667 (IRC):

tcp SYN-SENT 0 1 ip.de.votre.serveur:44098 ip.malicious:6667 timer:(on,30sec,5) users:(("perl",7908,4)) uid:10013 ino:34808658 sk:ffff8805c23680c0
tcp SYN-SENT 0 1 ip.de.votre.serveur:47601 ip.malicious.2:6667 timer:(on,28sec,5) users:(("perl",17998,4)) uid:10013 ino:34808090 sk:ffff881086770f40
tcp SYN-SENT 0 1 ip.de.votre.serveur:42479 ip.malicious.3:6667 timer:(on,10sec,4) users:(("perl",27298,4)) uid:10013 ino:34810070 sk:ffff88000e852e40
tcp SYN-SENT 0 1 ip.de.votre.serveur:48434 ip.malicious.4:6667 timer:(on,10sec,4) users:(("perl",27312,4)) uid:10013 ino:34810069 sk:ffff881ee98b8280

We then know that PID 7908, a perl process, has sent a SYN to the IP "ip.malicious".

Detecting the infection

Identify the script(s)

Whether the problem is a bitcoin miner, a botnet, a spam script or anything else, generally the approach is the same.

Once we have the PID of the script in question, we just have to run the command lsof with the parameter -p, which lists the files that this process has open on your server.

root@monserveur:/# lsof -p 7908
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 7908 www-data cwd DIR 0,147 4096 65774431 /var/www/vhosts/monserveur.ispfr.net/www/images/partenaires
perl 7908 www-data rtd DIR 0,147 4096 64882566 /
perl 7908 www-data txt REG 0,147 6928 64907675 /usr/bin/perl
perl 7908 www-data mem REG 0,147 80712 66365480 /lib/libresolv-2.11.3.so
perl 7908 www-data mem REG 0,147 22928 66365674 /lib/libnss_dns-2.11.3.so
perl 7908 www-data mem REG 0,147 51728 66365701 /lib/libnss_files-2.11.3.so
perl 7908 www-data mem REG 0,147 43552 66365618 /lib/libnss_nis-2.11.3.so
perl 7908 www-data mem REG 0,147 89064 66365442 /lib/libnsl-2.11.3.so
perl 7908 www-data mem REG 0,147 31616 66365673 /lib/libnss_compat-2.11.3.so
perl 7908 www-data mem REG 0,147 17640 42543840 /usr/lib/perl/5.10.1/auto/Digest/MD5/MD5.so
perl 7908 www-data mem REG 0,147 13992 42543857 /usr/lib/perl/5.10.1/auto/MIME/Base64/Base64.so
perl 7908 www-data mem REG 0,147 25976 36315140 /usr/lib/perl/5.10.1/auto/Socket/Socket.so
perl 7908 www-data mem REG 0,147 86072 42550019 /usr/lib/perl/5.10.1/auto/Storable/Storable.so
perl 7908 www-data mem REG 0,147 18120 36241410 /usr/lib/perl/5.10.1/auto/Fcntl/Fcntl.so
perl 7908 www-data mem REG 0,147 19920 36282369 /usr/lib/perl/5.10.1/auto/IO/IO.so
perl 7908 www-data mem REG 0,147 35104 66365563 /lib/libcrypt-2.11.3.so
perl 7908 www-data mem REG 0,147 1437064 66365693 /lib/libc-2.11.3.so
perl 7908 www-data mem REG 0,147 131258 66365502 /lib/libpthread-2.11.3.so
perl 7908 www-data mem REG 0,147 530736 66365430 /lib/libm-2.11.3.so
perl 7908 www-data mem REG 0,147 14696 66365682 /lib/libdl-2.11.3.so
perl 7908 www-data mem REG 0,147 1494792 65005681 /usr/lib/libperl.so.5.10.1
perl 7908 www-data mem REG 0,147 128744 66365635 /lib/ld-2.11.3.so
perl 7908 www-data 0r CHR 1,3 0t0 64890531 /dev/null
perl 7908 www-data 1w FIFO 0,8 0t0 880179538 pipe
perl 7908 www-data 2w FIFO 0,8 0t0 880179538 pipe
perl 7908 www-data 3u IPv4 2691366378 0t0 TCP monserveur.ispfr.net:41386->87.250.73.120:ircd (SYN_SENT)
perl 7908 www-data 54r FIFO 0,8 0t0 875280500 pipe
perl 7908 www-data 55w FIFO 0,8 0t0 875280500 pipe
perl 7908 www-data 56r FIFO 0,8 0t0 875280501 pipe
perl 7908 www-data 57w FIFO 0,8 0t0 875280501 pipe

We can see that the first line (the cwd entry, the working directory the script was started from) points at the incriminated location: perl 7908 www-data cwd DIR 0,147 4096 65774431 /var/www/vhosts/monserveur.ispfr.net/www/images/partenaires

The directory /var/www/vhosts/monserveur.ispfr.net/www/images/partenaires therefore contains the incriminated file.
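The two parsing steps of the diagnosis above (ss output to the PIDs talking to port 6667, then lsof output to the working directory of the PID) as shell functions. This is an added example and not part of the original article; SAMPLE_SS and SAMPLE_LSOF are constructed from the output shown above (the third and fourth ss lines are invented to show a non-IRC connection and the newer ss users:(("perl",pid=...,fd=...)) format), and on a live server you would pipe the real commands in instead.

```shell
#!/bin/sh
# Added example, not part of the original article. On a real server:
#   ss -lntpaue | suspicious_pids 6667
#   lsof -p 7908 | cwd_from_lsof
# The samples below are constructed from the article's output.

SAMPLE_SS='tcp SYN-SENT 0 1 ip.de.votre.serveur:44098 ip.malicious:6667 timer:(on,30sec,5) users:(("perl",7908,4)) uid:10013 ino:34808658 sk:ffff8805c23680c0
tcp SYN-SENT 0 1 ip.de.votre.serveur:47601 ip.malicious.2:6667 timer:(on,28sec,5) users:(("perl",17998,4)) uid:10013 ino:34808090 sk:ffff881086770f40
tcp ESTAB 0 0 ip.de.votre.serveur:443 198.51.100.7:51234 users:(("apache2",pid=2200,fd=12)) uid:33 ino:12345 sk:ffff88000e852e40
tcp ESTAB 0 0 ip.de.votre.serveur:50001 ip.malicious.5:6667 users:(("perl",pid=30120,fd=3)) uid:10013 ino:34810100 sk:ffff881ee98b8300'

SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
perl 7908 www-data cwd DIR 0,147 4096 65774431 /var/www/vhosts/monserveur.ispfr.net/www/images/partenaires
perl 7908 www-data txt REG 0,147 6928 64907675 /usr/bin/perl
perl 7908 www-data 3u IPv4 2691366378 0t0 TCP monserveur.ispfr.net:41386->87.250.73.120:ircd (SYN_SENT)'

# Read ss output on stdin; print "PID COMMAND" for every socket whose peer
# port is $1. Field 6 is the peer address:port. Handles both the old
# users:(("perl",7908,4)) format shown in the article and the newer
# users:(("perl",pid=7908,fd=4)) format.
suspicious_pids() {
    awk -v port="$1" '
        $6 ~ (":" port "$") && match($0, /users:\(\("[^"]+",(pid=)?[0-9]+/) {
            u = substr($0, RSTART + 9, RLENGTH - 9)   # drop users:((" -> perl",7908
            sub(/",(pid=)?/, " ", u)                   # perl 7908
            split(u, f, " ")
            print f[2], f[1]
        }'
}

# Read lsof -p output on stdin; print the working directory (the cwd line),
# which is the directory the script was started from.
cwd_from_lsof() {
    awk '$4 == "cwd" { print $NF }'
}

# Stand-alone demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | suspicious_pids 6667   # 7908 perl, 17998 perl, 30120 perl
printf '%s\n' "$SAMPLE_LSOF" | cwd_from_lsof
```

The port filter is applied to the peer column only, so a legitimate local service listening on the same port number would not be reported; for an outbound IRC connection that is exactly the column that matters.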

So we list the directory, in order to know what it contains:

root@monserveur:/var/www/vhosts/monserveur.ispfr.net/www/images/partenaires# ls
DeNia.phtml image55.jpg jrtv.jpg d.jpg index.html xml.phtml

If you open the file DeNia.phtml:

<?php
/*******************************************/
/* c99 injektor v.9 (C) 2011 */
/* Re-coded and modified By DeNia */
/* #Denia@irc.allnetwork.org */
/*******************************************/

Searching the Internet for these strings turns up traces of the origin of the attack. We can therefore assume that all the sites on your server running the same CMS are infected in the same way.

The .jpg files present in this folder are not necessarily all legitimate; if we open the first one in the list:

# head image55.jpg
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;
use IO::Select;
use Socket;
use MIME::Base64;
use File::Basename;
use URI::Escape;
use Digest::MD5 qw(md5_hex);

You can see that this is not an image but a malicious script. The same goes for the following image:

# head d.jpg
#!/usr/bin/perl

use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Request::Common qw(POST);
use LWP::Simple;
use LWP 5.64;
use LWP::UserAgent;
use Socket;
use IO::Socket;
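A way to find such disguised files without opening each one by hand: check the first bytes of every file with an image extension for a "#!" interpreter line or a "<?" PHP tag (the image55.jpg and d.jpg cases), and list script files that sit in an images directory at all (the DeNia.phtml case). This is an added example, not part of the original article; the sample directory is constructed by the script itself, and the extension lists are my own choice.

```shell
#!/bin/sh
# Added example, not part of the original article. Scans a directory for
# "images" that start like scripts and for script files among the images.

# Print every *.jpg/*.jpeg/*.png/*.gif under $1 whose first bytes are a
# "#!" interpreter line or a "<?" PHP open tag instead of an image header.
find_disguised_images() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' -o -iname '*.gif' \) -print |
    while IFS= read -r f; do
        magic=$(head -c 5 "$f" | tr -d '\000')   # NUL bytes cannot live in a shell variable
        case "$magic" in
            '#!'*|'<?'*) printf '%s\n' "$f" ;;
        esac
    done
}

# Print every file under $1 carrying an executable-script extension.
find_scripts_in_image_dir() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.pl' -o -iname '*.cgi' -o -iname '*.sh' \) -print
}

# Constructed sample directory: a real JPEG header, a Perl script and a PHP
# file hidden behind .jpg names, and a .phtml file among the images.
make_sample_dir() {
    d=$(mktemp -d)
    printf '\377\330\377\340\000\020JFIF' > "$d/real.jpg"
    printf '#!/usr/bin/perl\nuse IO::Socket;\n' > "$d/image55.jpg"
    printf '<?php /* constructed sample, does nothing */ ?>\n' > "$d/d.jpg"
    printf '<?php /* constructed sample, does nothing */ ?>\n' > "$d/DeNia.phtml"
    printf '%s\n' "$d"
}

# Stand-alone demonstration.
SAMPLE_DIR=$(make_sample_dir)
find_disguised_images "$SAMPLE_DIR"       # image55.jpg and d.jpg
find_scripts_in_image_dir "$SAMPLE_DIR"   # DeNia.phtml
rm -rf "$SAMPLE_DIR"
```

Run it against the web root of each site on the server, not only the one directory found through lsof, since the article's own conclusion is that every site on the same CMS is likely infected the same way.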

Eliminate the problem

Once you are sure you have identified the malicious scripts, you should cut off the threat.

For this, a simple and radical way works very well:

cd /path/to/the/folder/containing/the/infected/files/
chmod -R 0 *

Then we cut off the botnet activity:

kill -9 7908

(7908 being, of course, the PID of the script)
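The same two steps, chmod -R 0 on the folder contents and kill -9 on the PID, with a record of what was there written to an evidence file before anything is changed, so that the files can still be analysed afterwards. This is an added example and not part of the original article; the directory and the process it acts on in the demonstration are constructed (a temporary directory and a sleep process), and the evidence file path is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original article. Wraps the article's
# "chmod -R 0 *" and "kill -9 PID" steps so that evidence is kept first.

# Append a listing and checksums of $1 to the evidence file $2, then strip all
# permission bits from everything inside $1 (the article's chmod -R 0 *).
quarantine_dir() {
    dir="$1"; evidence="$2"
    {
        echo "== quarantine of $dir at $(date -u +%Y-%m-%dT%H:%M:%SZ) =="
        ls -laR "$dir"
        find "$dir" -type f -exec cksum {} +   # cksum is POSIX; use sha256sum where available
    } >> "$evidence"
    # -depth visits children before their directory, so nothing is locked
    # out before it has been seen; the directory $1 itself keeps its mode.
    find "$dir" -depth ! -path "$dir" -exec chmod 0 {} +
}

# Note the command behind the PID in the evidence file, then kill it.
# Returns 1 without killing anything if no such process exists.
stop_process() {
    pid="$1"; evidence="$2"
    cmd=$(cat /proc/"$pid"/comm 2>/dev/null || ps -o comm= -p "$pid" 2>/dev/null) || return 1
    [ -n "$cmd" ] || return 1
    echo "killed pid $pid ($cmd) at $(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$evidence"
    kill -9 "$pid"
}

# Permission string of a path, e.g. "----------" once quarantined.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Stand-alone demonstration on a constructed directory and a harmless process.
DEMO_DIR=$(mktemp -d); DEMO_LOG=$(mktemp)   # placeholder for e.g. /root/incident-evidence.txt
printf '#!/usr/bin/perl\n' > "$DEMO_DIR/image55.jpg"
quarantine_dir "$DEMO_DIR" "$DEMO_LOG"
mode_of "$DEMO_DIR/image55.jpg"           # ----------
sleep 300 & DEMO_PID=$!
stop_process "$DEMO_PID" "$DEMO_LOG"
wait "$DEMO_PID" 2>/dev/null
chmod -R u+rwx "$DEMO_DIR"; rm -rf "$DEMO_DIR" "$DEMO_LOG"
```

Check the command name written to the evidence file before trusting the kill: if the PID has already been reused by another process, stop_process will happily record and kill that one instead.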

Update

CMSs are no exception to the need for updates. It is therefore essential to keep your CMS up to date as consistently as possible.

We invite you to turn to your system administrator if you need help and this documentation is not sufficient.

Updated on 12 June 2020
